diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index a35c3158ea3..a77d4d20640 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -4,6 +4,7 @@ /avm/ @Azure/avm-core-team-technical-bicep /avm/utilities/ @Azure/avm-core-team-technical-bicep /avm/ptn/authorization/policy-assignment/ @Azure/avm-ptn-authorization-policyassignment-module-owners-bicep @Azure/avm-core-team-technical-bicep +/avm/ptn/authorization/resource-role-assignment/ @Azure/avm-ptn-authorization-resourceroleassignment-module-owners-bicep @Azure/avm-core-team-technical-bicep /avm/ptn/authorization/role-assignment/ @Azure/avm-ptn-authorization-roleassignment-module-owners-bicep @Azure/avm-core-team-technical-bicep /avm/ptn/security/security-center/ @Azure/avm-ptn-security-securitycenter-module-owners-bicep @Azure/avm-core-team-technical-bicep /avm/res/aad/domain-service/ @Azure/avm-res-aad-domainservice-module-owners-bicep @Azure/avm-core-team-technical-bicep diff --git a/.github/ISSUE_TEMPLATE/avm_module_issue.yml b/.github/ISSUE_TEMPLATE/avm_module_issue.yml index 459c075404c..b84c60a9abd 100644 --- a/.github/ISSUE_TEMPLATE/avm_module_issue.yml +++ b/.github/ISSUE_TEMPLATE/avm_module_issue.yml @@ -39,6 +39,7 @@ body: options: - "" - "avm/ptn/authorization/policy-assignment" + - "avm/ptn/authorization/resource-role-assignment" - "avm/ptn/authorization/role-assignment" # - "avm/ptn/avd-lza/insights" # - "avm/ptn/avd-lza/management-plane" diff --git a/avm/ptn/authorization/resource-role-assignment/README.md b/avm/ptn/authorization/resource-role-assignment/README.md new file mode 100644 index 00000000000..c9e49c87228 --- /dev/null +++ b/avm/ptn/authorization/resource-role-assignment/README.md @@ -0,0 +1,274 @@ +# ResourceRole Assignments (All scopes) `[Microsoft.Authorization/resourceroleassignment]` + +This module deploys a Role Assignment for a specific resource. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) +- [Data Collection](#Data-Collection) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | + +## Usage examples + +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. + +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. + +>**Note**: To reference the module, please use the following syntax `br/public:avm/ptn/authorization/resource-role-assignment:`. + +- [Resource Role Assignments](#example-1-resource-role-assignments) +- [Resource Role Assignments](#example-2-resource-role-assignments) + +### Example 1: _Resource Role Assignments_ + +This module deploys a Role Assignment at a Resource scope using minimal parameters. + + +
+ +via Bicep module + +```bicep +module resourceRoleAssignment 'br/public:avm/ptn/authorization/resource-role-assignment:' = { + name: 'resourceRoleAssignmentDeployment' + params: { + // Required parameters + name: 'arramin001' + principalId: '' + resourceId: '' + roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' + // Non-required parameters + location: '' + principalType: 'ServicePrincipal' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "arramin001" + }, + "principalId": { + "value": "" + }, + "resourceId": { + "value": "" + }, + "roleDefinitionId": { + "value": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1" + }, + // Non-required parameters + "location": { + "value": "" + }, + "principalType": { + "value": "ServicePrincipal" + } + } +} +``` + +
+

+ +### Example 2: _Resource Role Assignments_ + +This module deploys a Role Assignment at a Resource scope using common parameters. + + +

+ +via Bicep module + +```bicep +module resourceRoleAssignment 'br/public:avm/ptn/authorization/resource-role-assignment:' = { + name: 'resourceRoleAssignmentDeployment' + params: { + // Required parameters + name: 'arrawaf001' + principalId: '' + resourceId: '' + roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' + // Non-required parameters + location: '' + principalType: 'ServicePrincipal' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "arrawaf001" + }, + "principalId": { + "value": "" + }, + "resourceId": { + "value": "" + }, + "roleDefinitionId": { + "value": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1" + }, + // Non-required parameters + "location": { + "value": "" + }, + "principalType": { + "value": "ServicePrincipal" + } + } +} +``` + +
+

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The unique guid name for the role assignment. | +| [`principalId`](#parameter-principalid) | string | The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). | +| [`resourceId`](#parameter-resourceid) | string | The scope for the role assignment, fully qualified resourceId. | +| [`roleDefinitionId`](#parameter-roledefinitionid) | string | You can provide the role definition as a fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`description`](#parameter-description) | string | The Description of role assignment. | +| [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. | +| [`location`](#parameter-location) | string | Location deployment metadata. | +| [`principalType`](#parameter-principaltype) | string | The principal type of the assigned principal ID. | +| [`roleName`](#parameter-rolename) | string | The name for the role, used for logging. | + +### Parameter: `name` + +The unique guid name for the role assignment. + +- Required: Yes +- Type: string + +### Parameter: `principalId` + +The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). + +- Required: Yes +- Type: string + +### Parameter: `resourceId` + +The scope for the role assignment, fully qualified resourceId. + +- Required: Yes +- Type: string + +### Parameter: `roleDefinitionId` + +You can provide the role definition as a fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: Yes +- Type: string + +### Parameter: `description` + +The Description of role assignment. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableTelemetry` + +Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location deployment metadata. + +- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `principalType` + +The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Default: `''` +- Allowed: + ```Bicep + [ + '' + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` + +### Parameter: `roleName` + +The name for the role, used for logging. + +- Required: No +- Type: string +- Default: `''` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The GUID of the Role Assignment. | +| `resourceId` | string | The resource ID of the Role Assignment. | +| `roleName` | string | The name for the role, used for logging. | + +## Cross-referenced modules + +_None_ + +## Data Collection + +The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the [repository](https://aka.ms/avm/telemetry). There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at . You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices. diff --git a/avm/ptn/authorization/resource-role-assignment/main.bicep b/avm/ptn/authorization/resource-role-assignment/main.bicep new file mode 100644 index 00000000000..801c735d22a --- /dev/null +++ b/avm/ptn/authorization/resource-role-assignment/main.bicep @@ -0,0 +1,106 @@ +metadata name = 'ResourceRole Assignments (All scopes)' +metadata description = 'This module deploys a Role Assignment for a specific resource.' +metadata owner = 'Azure/module-maintainers' + +targetScope = 'subscription' + +// TODO: maybe a multiple roles assigned to a single principal? + +@sys.description('Required. The scope for the role assignment, fully qualified resourceId.') +param resourceId string + +@sys.description('Required. The unique guid name for the role assignment.') +param name string + +@sys.description('Required. You can provide the role definition as a fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +param roleDefinitionId string + +@sys.description('Optional. The name for the role, used for logging.') +param roleName string = '' + +@sys.description('Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity).') +param principalId string + +@sys.description('Optional. The principal type of the assigned principal ID.') +@allowed([ + 'ServicePrincipal' + 'Group' + 'User' + 'ForeignGroup' + 'Device' + '' +]) +param principalType string = '' + +@sys.description('Optional. The Description of role assignment.') +param description string = '' + +@sys.description('Optional. Location deployment metadata.') +param location string = deployment().location + +@sys.description('Optional. Enable/Disable usage telemetry for module.') +param enableTelemetry bool = true + +// =============== // +// Definitions // +// =============== // + +resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' = + if (enableTelemetry) { + name: '46d3xbcp.ptn.authorization-resourceroleassignment.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}' + properties: { + mode: 'Incremental' + template: { + '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' + contentVersion: '#_moduleVersion_#.0' + resources: [] + outputs: { + telemetry: { + type: 'String' + value: 'For more information, see https://aka.ms/avm/TelemetryInfo' + } + } + } + } + location: location + } + +resource resourceRoleAssignment 'Microsoft.Resources/deployments@2023-07-01' = { + name: take('rra-${name}-${last(split(resourceId,'/'))}', 64) + properties: { + mode: 'Incremental' + expressionEvaluationOptions: { + scope: 'Outer' + } + template: loadJsonContent('modules/generic-role-assignment.json') + parameters: { + scope: { + value: resourceId + } + name: { + value: name + } + roleDefinitionId: { + value: roleDefinitionId + } + principalId: { + value: principalId + } + principalType: { + value: principalType + } + description: { + value: description + } + } + } +} + +@sys.description('The GUID of the Role Assignment.') +output name string = name + +@sys.description('The name for the role, used for logging.') +output roleName string = roleName + +@sys.description('The resource ID of the Role Assignment.') +output resourceId string = resourceRoleAssignment.properties.outputs.roleAssignmentId.value diff --git a/avm/ptn/authorization/resource-role-assignment/main.json b/avm/ptn/authorization/resource-role-assignment/main.json new file mode 100644 index 00000000000..1ccd4d0d3ef --- /dev/null +++ b/avm/ptn/authorization/resource-role-assignment/main.json @@ -0,0 +1,219 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.170.59819", + "templateHash": "15111475392680889649" + }, + "name": "ResourceRole Assignments (All scopes)", + "description": "This module deploys a Role Assignment for a specific resource.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "resourceId": { + "type": "string", + "metadata": { + "description": "Required. The scope for the role assignment, fully qualified resourceId." + } + }, + "name": { + "type": "string", + "metadata": { + "description": "Required. The unique guid name for the role assignment." + } + }, + "roleDefinitionId": { + "type": "string", + "metadata": { + "description": "Required. You can provide the role definition as a fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "roleName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The name for the role, used for logging." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)." + } + }, + "principalType": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "ServicePrincipal", + "Group", + "User", + "ForeignGroup", + "Device", + "" + ], + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The Description of role assignment." + } + }, + "location": { + "type": "string", + "defaultValue": "[deployment().location]", + "metadata": { + "description": "Optional. Location deployment metadata." + } + }, + "enableTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + }, + "variables": { + "$fxv#0": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "scope": { + "type": "string" + }, + "name": { + "type": "string" + }, + "roleDefinitionId": { + "type": "string" + }, + "principalId": { + "type": "string" + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User", + "" + ], + "defaultValue": "", + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[[parameters('scope')]", + "name": "[[parameters('name')]", + "properties": { + "roleDefinitionId": "[[resourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]", + "principalId": "[[parameters('principalId')]", + "principalType": "[[parameters('principalType')]", + "description": "[[parameters('description')]" + } + } + ], + "outputs": { + "roleAssignmentId": { + "type": "string", + "value": "[[extensionResourceId(parameters('scope'), 'Microsoft.Authorization/roleAssignments', parameters('name'))]" + } + } + } + }, + "resources": [ + { + "condition": "[parameters('enableTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2023-07-01", + "name": "[format('46d3xbcp.ptn.authorization-resourceroleassignment.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "#_moduleVersion_#.0", + "resources": [], + "outputs": { + "telemetry": { + "type": "String", + "value": "For more information, see https://aka.ms/avm/TelemetryInfo" + } + } + } + }, + "location": "[parameters('location')]" + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2023-07-01", + "name": "[take(format('rra-{0}-{1}', parameters('name'), last(split(parameters('resourceId'), '/'))), 64)]", + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "Outer" + }, + "template": "[variables('$fxv#0')]", + "parameters": { + "scope": { + "value": "[parameters('resourceId')]" + }, + "name": { + "value": "[parameters('name')]" + }, + "roleDefinitionId": { + "value": "[parameters('roleDefinitionId')]" + }, + "principalId": { + "value": "[parameters('principalId')]" + }, + "principalType": { + "value": "[parameters('principalType')]" + }, + "description": { + "value": "[parameters('description')]" + } + } + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The GUID of the Role Assignment." + }, + "value": "[parameters('name')]" + }, + "roleName": { + "type": "string", + "metadata": { + "description": "The name for the role, used for logging." + }, + "value": "[parameters('roleName')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the Role Assignment." + }, + "value": "[reference(subscriptionResourceId('Microsoft.Resources/deployments', take(format('rra-{0}-{1}', parameters('name'), last(split(parameters('resourceId'), '/'))), 64)), '2023-07-01').outputs.roleAssignmentId.value]" + } + } +} \ No newline at end of file diff --git a/avm/ptn/authorization/resource-role-assignment/modules/generic-role-assignment.json b/avm/ptn/authorization/resource-role-assignment/modules/generic-role-assignment.json new file mode 100644 index 00000000000..05e0607fd53 --- /dev/null +++ b/avm/ptn/authorization/resource-role-assignment/modules/generic-role-assignment.json @@ -0,0 +1,56 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "scope": { + "type": "string" + }, + "name": { + "type": "string" + }, + "roleDefinitionId": { + "type": "string" + }, + "principalId": { + "type": "string" + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User", + "" + ], + "defaultValue": "", + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[parameters('scope')]", + "name": "[parameters('name')]", + "properties": { + "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]", + "principalId": "[parameters('principalId')]", + "principalType": "[parameters('principalType')]", + "description": "[parameters('description')]" + } + } + ], + "outputs": { + "roleAssignmentId": { + "type": "string", + "value": "[extensionResourceId(parameters('scope'), 'Microsoft.Authorization/roleAssignments', parameters('name'))]" + } + } +} \ No newline at end of file diff --git a/avm/ptn/authorization/resource-role-assignment/tests/e2e/defaults/dependencies.bicep b/avm/ptn/authorization/resource-role-assignment/tests/e2e/defaults/dependencies.bicep new file mode 100644 index 00000000000..ac2fbefc476 --- /dev/null +++ b/avm/ptn/authorization/resource-role-assignment/tests/e2e/defaults/dependencies.bicep @@ -0,0 +1,28 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Storage Account to create.') +param storageAccountName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = { + name: managedIdentityName + location: location +} + +resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = { + name: storageAccountName + location: location + sku: { + name: 'Standard_LRS' + } + kind: 'StorageV2' +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Storage Account.') +output storageAccountResourceId string = storageAccount.id diff --git a/avm/ptn/authorization/resource-role-assignment/tests/e2e/defaults/main.test.bicep b/avm/ptn/authorization/resource-role-assignment/tests/e2e/defaults/main.test.bicep new file mode 100644 index 00000000000..1de1f7ed119 --- /dev/null +++ b/avm/ptn/authorization/resource-role-assignment/tests/e2e/defaults/main.test.bicep @@ -0,0 +1,60 @@ +targetScope = 'subscription' +metadata name = 'Resource Role Assignments' +metadata description = 'This module deploys a Role Assignment at a Resource scope using minimal parameters.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-authorization.resourceroleassignment-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param resourceLocation string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'arramin' + +@description('Optional. A token to inject into the name of each resource. This value can be automatically injected by the CI.') +param namePrefix string = '#_namePrefix_#' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2023-07-01' = { + name: resourceGroupName + location: resourceLocation +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + storageAccountName: 'dep${namePrefix}st${serviceShort}' + location: resourceLocation + } +} + +// ============== // +// Test Execution // +// ============== // + +@batchSize(1) +module testDeployment '../../../main.bicep' = [ + for iteration in ['init', 'idem']: { + name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}' + params: { + name: '${namePrefix}${serviceShort}001' + location: resourceLocation + resourceId: nestedDependencies.outputs.storageAccountResourceId + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' // Storage Blob Data Reader + } + } +] diff --git a/avm/ptn/authorization/resource-role-assignment/tests/e2e/waf-aligned/dependencies.bicep b/avm/ptn/authorization/resource-role-assignment/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 00000000000..195c02ed8a5 --- /dev/null +++ b/avm/ptn/authorization/resource-role-assignment/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,28 @@ +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Storage Account to create.') +param storageAccountName string + +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = { + name: managedIdentityName + location: location +} + +resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = { + name: storageAccountName + location: location + sku: { + name: 'Standard_LRS' + } + kind: 'StorageV2' +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Storage Account.') +output storageAccountResourceId string = storageAccount.id diff --git a/avm/ptn/authorization/resource-role-assignment/tests/e2e/waf-aligned/main.test.bicep b/avm/ptn/authorization/resource-role-assignment/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 00000000000..e0733c0c2c9 --- /dev/null +++ b/avm/ptn/authorization/resource-role-assignment/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,60 @@ +targetScope = 'subscription' +metadata name = 'Resource Role Assignments' +metadata description = 'This module deploys a Role Assignment at a Resource scope using common parameters.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-authorization.resourceroleassignment-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param resourceLocation string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'arrawaf' + +@description('Optional. A token to inject into the name of each resource. This value can be automatically injected by the CI.') +param namePrefix string = '#_namePrefix_#' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2023-07-01' = { + name: resourceGroupName + location: resourceLocation +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + storageAccountName: 'dep${namePrefix}st${serviceShort}' + location: resourceLocation + } +} + +// ============== // +// Test Execution // +// ============== // + +@batchSize(1) +module testDeployment '../../../main.bicep' = [ + for iteration in ['init', 'idem']: { + name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}' + params: { + name: '${namePrefix}${serviceShort}001' + location: resourceLocation + resourceId: '' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' // Storage Blob Data Reader + } + } +] diff --git a/avm/ptn/authorization/resource-role-assignment/version.json b/avm/ptn/authorization/resource-role-assignment/version.json new file mode 100644 index 00000000000..8def869edeb --- /dev/null +++ b/avm/ptn/authorization/resource-role-assignment/version.json @@ -0,0 +1,7 @@ +{ + "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", + "version": "0.1", + "pathFilters": [ + "./main.json" + ] +}